Forensic Software Driver Weaponized to Disable Security Tools

Cyber attackers are misusing a revoked but still loadable kernel driver from the EnCase forensic software to build a tool that neutralizes endpoint security. This "EDR killer" is designed to terminate or blind endpoint detection and response (EDR) software and other protective solutions. The method is a "Bring Your Own Vulnerable Driver" (BYOVD) attack: the attacker ships a legitimately signed driver whose own functionality or flaws let user-mode code act with kernel-level privileges, which no normal application is granted.

Researchers at Huntress discovered this custom tool during a recent incident investigation. The attackers initially breached the network by using stolen credentials for a SonicWall SSL VPN that lacked multi-factor authentication. Once inside, they conducted extensive network reconnaissance, including ping sweeps and SMB scans.

The malicious executable specifically abuses an outdated EnCase driver named 'EnPortv.sys.' Although its code-signing certificate was issued in 2006 and has since been revoked, Windows still loads it because of how kernel-mode Driver Signature Enforcement operates. Code Integrity checks that the signature chain and its countersigning timestamp are cryptographically valid at load time; it does not consult certificate revocation lists or OCSP, so revocation has no effect on an already-signed binary. In addition, Microsoft's cross-signing rules still honor drivers signed with end-entity certificates issued before 29 July 2015, so this legacy signature remains acceptable on current Windows releases.

Once installed, the driver is registered as a kernel service masquerading as a hardware component, which also gives the attacker persistence across reboots. It then uses its kernel-level privileges to terminate processes belonging to 59 different security and antivirus products, running this kill loop every second so that any agent that restarts is killed again. Protected Process Light (PPL) does not help here: PPL stops other user-mode processes from opening or terminating anti-malware processes, but code already executing in the kernel is not bound by those access checks.
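The two properties described above, a signature that Code Integrity still accepts and a signer certificate that is pre-cutoff or revoked, can be hunted for on an endpoint. The following is an added example, not code from Huntress or from the article, that enumerates every registered kernel driver service, checks the Authenticode signature the way the loader would, and then separately builds a certificate chain with revocation checking turned on so that revoked signers stand out. The 29 July 2015 cutoff date is Microsoft's published cross-signing cutoff; the path-normalisation rules are assumptions about the `PathName` formats `Win32_SystemDriver` returns.

```powershell
# Added example (not from Huntress or the article): audit registered kernel drivers for
# signatures Code Integrity accepts but whose signer is pre-cutoff and/or revoked.
# Run in an elevated PowerShell 5.1 or 7 session on Windows; the revocation check needs
# network access to reach CRL/OCSP endpoints.

$Cutoff = [datetime]'2015-07-29'   # Microsoft's cross-signing cutoff for legacy-signed drivers

function Test-DriverSigner {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if (-not $cert) {
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; Signer = $null
                                  NotBefore = $null; PreCutoff = $false; Revoked = $false
                                  ChainStatus = 'no signer certificate' }
    }

    # Code Integrity skips CRL/OCSP, so do it explicitly here. Expiry is ignored on purpose:
    # a 2006 certificate is long expired, and the signal we want is revocation, not age.
    $ns = 'System.Security.Cryptography.X509Certificates'
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag    = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::IgnoreNotTimeValid
    $null = $chain.Build($cert)
    $statusText = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ','

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status            # 'Valid' is what the kernel loader effectively sees
        Signer      = $cert.Subject
        NotBefore   = $cert.NotBefore
        PreCutoff   = ($cert.NotBefore -lt $Cutoff)
        Revoked     = ($statusText -match 'Revoked')
        ChainStatus = $statusText
    }
}

# Enumerate every registered kernel driver service and resolve its on-disk binary.
# Path normalisation below is an assumption about the formats Win32_SystemDriver returns
# (\??\C:\..., \SystemRoot\..., and bare system32\drivers\... are all seen in practice).
$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $p = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
        [pscustomobject]@{ Service = $_.Name; State = $_.State; Path = $p }
    }

$findings = foreach ($d in $drivers) {
    if (-not (Test-Path $d.Path)) { continue }
    $r = Test-DriverSigner -Path $d.Path
    # Only drivers the loader would accept AND that carry the legacy/revoked signer pattern.
    if ($r.Status -eq 'Valid' -and ($r.PreCutoff -or $r.Revoked)) {
        $r | Add-Member -NotePropertyName Service -NotePropertyValue $d.Service -PassThru |
             Add-Member -NotePropertyName State   -NotePropertyValue $d.State   -PassThru
    }
}

$findings | Sort-Object @{Expression='Revoked'; Descending=$true}, NotBefore |
    Format-Table Service, State, NotBefore, PreCutoff, Revoked, Signer -AutoSize
```

Treat the output as a review list rather than a verdict: plenty of legitimate OEM drivers still ship with pre-2015 signatures, so the interesting rows are the ones that are both `Revoked` and `Running`, or whose service name and signer do not match any hardware on the box. In-box drivers that are catalog-signed rather than file-signed can show a `Status` other than `Valid` under older PowerShell versions and are therefore skipped, which is acceptable here because a BYOVD payload is dropped as a stand-alone signed file.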

The intrusion is believed to have been a ransomware operation that was halted prior to final payload deployment. To defend against such attacks, experts strongly recommend enforcing multi-factor authentication on all remote access points and monitoring VPN logs for anomalies such as logins from unexpected geographies or outside normal hours. On the endpoint, enabling Memory Integrity (hypervisor-protected code integrity, HVCI) causes Code Integrity to enforce the Microsoft vulnerable driver blocklist, and Microsoft Defender's Attack Surface Reduction rule "Block abuse of exploited vulnerable signed drivers" blocks known vulnerable signed drivers from being written to disk. Both controls only cover drivers that are already on a blocklist, so an organisation that wants to stop drivers not yet listed needs an allowlist-style WDAC policy or a custom deny rule as well.
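The endpoint-side mitigations above can be audited and turned on from an elevated PowerShell session. The following is an added example, not code from the article or from Huntress; it assumes Microsoft Defender Antivirus is the active engine (the `Add-MpPreference` cmdlet is Defender's) and uses the documented registry locations for Memory Integrity and the vulnerable driver blocklist. The ASR rule GUID is Microsoft's published identifier for "Block abuse of exploited vulnerable signed drivers".

```powershell
# Added example (not from the article): check and enable the driver-related mitigations on
# Windows 10/11 with Microsoft Defender. Run elevated; HVCI only starts after a reboot and
# only on hardware that supports virtualization-based security.

$AsrBlockVulnDrivers = '56a863a9-875e-4185-98a7-b882c64b5ce5'   # ASR: Block abuse of exploited vulnerable signed drivers
$HvciKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$CiConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'

function Get-DriverHardeningState {
    # Win32_DeviceGuard reports what is actually running; SecurityServicesRunning contains 2 for HVCI.
    $dg   = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $pref = Get-MpPreference
    # Ids and Actions are parallel arrays; look up the action configured for our rule.
    $idx  = [array]::IndexOf([string[]]$pref.AttackSurfaceReductionRules_Ids, $AsrBlockVulnDrivers)
    [pscustomobject]@{
        HvciRunning         = ($dg.SecurityServicesRunning -contains 2)
        HvciConfigured      = ((Get-ItemProperty -Path $HvciKey  -ErrorAction SilentlyContinue).Enabled -eq 1)
        BlocklistConfigured = ((Get-ItemProperty -Path $CiConfig -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable -eq 1)
        AsrVulnDriverAction = if ($idx -ge 0) { $pref.AttackSurfaceReductionRules_Actions[$idx] } else { 'NotConfigured' }
    }
}

function Enable-DriverHardening {
    # 1. ASR rule in block mode. Use -AttackSurfaceReductionRules_Actions AuditMode first if you
    #    want to see which drivers it would have blocked before enforcing.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrBlockVulnDrivers `
                     -AttackSurfaceReductionRules_Actions Enabled

    # 2. Memory Integrity (HVCI). Enabled=1 turns it on at next boot; Locked=0 leaves the
    #    Windows Security UI toggle usable by local admins (set 1 to pin it).
    New-Item -Path $HvciKey -Force | Out-Null
    Set-ItemProperty -Path $HvciKey -Name Enabled -Value 1 -Type DWord
    Set-ItemProperty -Path $HvciKey -Name Locked  -Value 0 -Type DWord

    # 3. Microsoft Vulnerable Driver Blocklist, enforced by Code Integrity once HVCI is running.
    New-Item -Path $CiConfig -Force | Out-Null
    Set-ItemProperty -Path $CiConfig -Name VulnerableDriverBlocklistEnable -Value 1 -Type DWord
}

Write-Host 'Before:'
Get-DriverHardeningState | Format-List
Enable-DriverHardening
Write-Host 'After (HvciRunning becomes True only after a reboot):'
Get-DriverHardeningState | Format-List
```

`AsrVulnDriverAction` is reported as Defender's raw action value (1 = block, 2 = audit, 6 = warn) so the script works unchanged across Defender versions that differ in how they display the enum. Remember that all three controls are blocklist-driven: a signed driver that Microsoft has not yet listed still loads, which is exactly why the audit script above, or a WDAC allowlist policy, is worth running alongside them.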
